See Executive Order 13556

Alert: NIST has published the final versions of Special Publication (SP) 800-171r3 (Revision 3), Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and SP 800-171Ar3, Assessing Security Requirements for Controlled Unclassified Information.

See NIST Regulations for Protecting Controlled Unclassified Information CUI

As required by the federal government, CUI can only be stored and processed on IT systems that have been risk assessed to comply with NIST SP 800-171 standards. Therefore, UVM Investigators who will engage in a sponsored project that will require the use of CUI can only do so within an approved CUI environment.

CUI environments must be approved by UVM’s Information Security Officer, Scott Carbee.

Investigators, should not engage, accept, or receive CUI for any reason or purpose until an appropriate Information Security Plan (ISP) is in place and approved by the UVM Chief Information Security Officer.

Where SPA identifies a CUI Project, SPA will connect the Principal Investigator to the UVM Information Security Officer who will then work with the research team to develop an appropriate Information Security Plan (ISP), which safeguards the CUI and controls unauthorized dissemination.

For any reason a SPA project is not initially identified as using CUI in the work, it is the responsibility of the Investigator to initiate an Information Security Plan by contacting our Research Compliance Officer, Victoria Jones and our Information Security Officer, Scott Carbee.

• University Operating Procedure (UOP): Controlled Unclassified Information (PDF)
• SPA Procedures: Review for Controlled Unclassified Information (CUI) at time of Proposal and at time of Contracting (PDF)